Conversation
…rator Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Agentic Changeset Generator triggered by this pull request.

@copilot the run failed in the conclusion when processing the noop message. Investigate. https://github.com/githubnext/gh-aw/actions/runs/19584497219/job/56090336863#step:5:1

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Fixed in 150a5a6. The issue was that the conclusion job was trying to use
@copilot also add the token invalidation step in the conclusion job. Make sure those steps are added only if safe-outputs.app is defined.
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Added in b19f253. The token invalidation step is now added to the conclusion job when

Agentic Changeset Generator triggered by this pull request.
@copilot The permissions used by the actions/create-github-app are App permissions, not github action permissions. They are slightly different. This is the error message when trying permission-discussions which does not exist. Update the code in the compiler that computes the permission-... object to account for GitHub App permissions, not action permissions.
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Fixed in 1447bac. Updated
| app-id: ${{ vars.APP_ID }} | ||
| private-key: ${{ secrets.APP_PRIVATE_KEY }} | ||
| github-api-url: ${{ github.api_url }} | ||
| permission-contents: read |
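Review bot: this `with:` block sets neither `owner` nor `repositories`, so the repository scope of the minted token is left to the action's defaults rather than stated by the workflow; set both explicitly (`owner: ${{ github.repository_owner }}` and `repositories: ${{ github.event.repository.name }}`) so the token is visibly scoped to the current repository, which is also what the PR description says the compiler now auto-sets when they are omitted.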
@copilot make sure that keys permission-... are stored to ensure deterministic compilation order.
Fixed in d15e5fd. The permission-* keys are now sorted alphabetically before being added to the workflow YAML, ensuring deterministic compilation order. The fix extracts all keys from the permission fields map, sorts them using sort.Strings(), and then iterates in sorted order when appending to the steps.
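As an added example (not gh-aw's code, and not the project's `convertPermissionsToAppTokenFields`), the Go below shows the two compile-time steps this thread discusses together: dropping permission names that are not GitHub App permissions (`discussions`, `models`, `id-token`, `attestations`, as listed in the PR summary) and emitting the remaining `permission-*` inputs in `sort.Strings` order so that repeated compiles produce byte-identical YAML. The function names, the `notAppPermissions` set and the `owner`/`repositories` fallbacks are assumptions modelled on this PR's description.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Assumed set of workflow permission names that have no GitHub App
// installation-token equivalent (taken from the PR summary; not the
// project's own table).
var notAppPermissions = map[string]bool{
	"discussions":  true,
	"models":       true,
	"id-token":     true,
	"attestations": true,
}

// AppTokenPermissionFields converts workflow permissions (name -> "read"/"write")
// into create-github-app-token "permission-<name>" inputs, silently dropping
// names a GitHub App cannot be granted. Map iteration order is random in Go,
// so the caller must sort the keys before rendering.
func AppTokenPermissionFields(perms map[string]string) map[string]string {
	out := make(map[string]string, len(perms))
	for name, level := range perms {
		if notAppPermissions[name] {
			continue
		}
		out["permission-"+name] = level
	}
	return out
}

// RenderAppTokenWith emits the `with:` lines for the token-minting step in a
// deterministic order: the fixed inputs first, then permission-* keys sorted
// with sort.Strings. Empty owner/repositories fall back to the current
// repository (assumed defaults, mirroring the PR description).
func RenderAppTokenWith(owner, repositories string, fields map[string]string, indent string) string {
	if owner == "" {
		owner = "${{ github.repository_owner }}"
	}
	if repositories == "" {
		repositories = "${{ github.event.repository.name }}"
	}
	var b strings.Builder
	b.WriteString(indent + "with:\n")
	b.WriteString(indent + "  app-id: ${{ vars.APP_ID }}\n")
	b.WriteString(indent + "  private-key: ${{ secrets.APP_PRIVATE_KEY }}\n")
	b.WriteString(indent + "  owner: " + owner + "\n")
	b.WriteString(indent + "  repositories: " + repositories + "\n")
	b.WriteString(indent + "  github-api-url: ${{ github.api_url }}\n")

	keys := make([]string, 0, len(fields))
	for k := range fields {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic compilation order
	for _, k := range keys {
		fmt.Fprintf(&b, "%s  %s: %s\n", indent, k, fields[k])
	}
	return b.String()
}

func main() {
	// Constructed sample: a workflow asking for one permission an App cannot hold.
	perms := map[string]string{
		"issues":        "write",
		"contents":      "read",
		"discussions":   "write",
		"pull-requests": "write",
	}
	fmt.Print(RenderAppTokenWith("", "", AppTokenPermissionFields(perms), "        "))
}
```

Running it prints the `with:` block with `permission-contents`, `permission-issues` and `permission-pull-requests` in that order and no `permission-discussions` line; because Go randomises map iteration, the `sort.Strings` call is what keeps the lock file stable across compiles.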
Agentic Changeset Generator triggered by this pull request.

@copilot it fails with this log: 2025-11-21T23:31:59.4985854Z ##[group]Run actions/create-github-app-token@6701853
This error indicates the To fix:
The compiler code is working correctly - the expressions are being rendered properly in the YAML. The issue is with the actual secret value stored in the repository settings.

✅ Agentic Changeset Generator completed successfully.

@Format lint, fix tests

@copilot add import of the shared app shared agentic workflow to a daily agentic workflow that creates an issue and a daily agentic workflow that creates a discussion.
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Added in cf4acbc. Created two example daily workflows:
Both workflows import
Also updated the

@copilot revert the previous commit. Instead of creating 2 new agentic workflows, update 2 existing agentic workflows in the .github/workflows folder and import the app shared agentic workflow in those.
…g new ones Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Fixed in 6bff113. Removed the newly created example workflows and instead updated two existing daily workflows:
Both workflows now use GitHub App authentication for their safe outputs. The workflows compile successfully and include app token minting/invalidation steps.
Pull request overview
This PR adds repository-level GitHub App authentication support for safe-output operations, introducing a shared workflow configuration (shared/safe-output-app.md) that can be imported by workflows needing GitHub App tokens. The implementation includes automatic token minting/invalidation, default owner/repositories values, deterministic permission sorting, and integration with git operations and GitHub CLI commands.
Key changes:
- New shared workflow for centralized GitHub App configuration using repository variables/secrets
- Enhanced safe-output jobs to support GitHub App token authentication
- Fixed permission mapping to exclude invalid GitHub App permissions
- Auto-set owner and repositories when not explicitly configured
Reviewed changes
Copilot reviewed 15 out of 15 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| `.github/workflows/shared/safe-output-app.md` | New shared workflow providing repository-level GitHub App credentials configuration |
| `pkg/workflow/safe_outputs_app.go` | Fixed permissions mapping to exclude discussions/models, added deterministic sorting, auto-set defaults |
| `pkg/workflow/yaml_generation.go` | Added helper function for git configuration with custom tokens |
| `pkg/workflow/push_to_pull_request_branch.go` | Integrated app token support for git operations and GH CLI |
| `pkg/workflow/notify_comment.go` | Added app token minting/invalidation to conclusion job |
| `.github/workflows/changeset.md` | Imported shared safe-output-app workflow |
| `.github/workflows/daily-file-diet.md` | Imported shared safe-output-app workflow |
| `.github/workflows/artifacts-summary.md` | Imported shared safe-output-app workflow |
| `.github/aw/actions-lock.json` | Updated action pin to latest SHA |
| `pkg/workflow/data/action_pins.json` | Synced with actions-lock.json |
| `.changeset/patch-add-safe-output-app-shared-workflow.md` | Changeset documenting patch-level update |
| - **Centralized Configuration**: Single source of truth for app credentials | ||
| - **Easy Updates**: Change credentials in one place | ||
| - **Consistent Usage**: All workflows use the same configuration pattern | ||
| - **Repository-Scoped**: Uses repository-specific variables and secrets |
The shared workflow documentation should mention the limitations of GitHub App authentication. Specifically, GitHub Apps don't support the discussions permission scope, which means workflows using safe-outputs.create-discussion will fail when combined with safe-outputs.app.
Suggested addition to the documentation (after line 29):

> ## Limitations
>
> - **Discussions Not Supported**: GitHub Apps don't support the `discussions` permission. Workflows using `safe-outputs.create-discussion` should not import this shared workflow, as discussion creation will fail with authorization errors.

This will help users understand which safe-output types are compatible with GitHub App authentication.
| - **Repository-Scoped**: Uses repository-specific variables and secrets | |
| - **Repository-Scoped**: Uses repository-specific variables and secrets | |
| ## Limitations | |
| - **Discussions Not Supported**: GitHub Apps don't support the `discussions` permission. Workflows using `safe-outputs.create-discussion` should not import this shared workflow, as discussion creation will fail with authorization errors. |
| - name: Generate GitHub App token | ||
| id: app-token | ||
| uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2 | ||
| with: | ||
| app-id: ${{ vars.APP_ID }} | ||
| private-key: ${{ secrets.APP_PRIVATE_KEY }} | ||
| owner: ${{ github.repository_owner }} | ||
| repositories: ${{ github.event.repository.name }} | ||
| github-api-url: ${{ github.api_url }} | ||
| permission-contents: read | ||
| - name: Download agent output artifact |
The create_discussion job may fail at runtime when using GitHub App authentication. The job requires discussions: write permission to create discussions, but GitHub Apps don't support this permission scope (as documented in lines 209-214).
When the app token is minted for this job (line 4506 in artifacts-summary.lock.yml), it only receives permission-contents: read without any discussions permission. This means any attempt to create a discussion using the app token will fail with an authorization error.
Impact: The create_discussion safe output will not work when safe-outputs.app is configured.
Suggested fix: Either:
- Validate at compile time that `create-discussion` and `safe-outputs.app` cannot be used together, OR
- Fall back to using `GITHUB_TOKEN` instead of the app token for discussion creation, OR
- Document this limitation prominently in the shared workflow documentation
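The first option above (reject the combination at compile time), as an added example that is not the project's code: a hypothetical `ValidateSafeOutputsApp` maps each enabled safe-output type to the permission it needs and fails compilation when `safe-outputs.app` is configured and any of those permissions is one a GitHub App installation token cannot hold. The `SafeOutputs` struct, the safe-output type names and the `safeOutputPermission` mapping are assumptions; only `create-discussion` needing `discussions`, and `discussions` being unsupported for Apps, come from this thread.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// SafeOutputs is a hypothetical minimal view of a workflow's safe-outputs
// configuration (the real compiler's config type is not shown on this page).
type SafeOutputs struct {
	App     bool     // true when safe-outputs.app is configured
	Enabled []string // enabled safe-output types, e.g. "create-issue"
}

// Assumed mapping from safe-output type to the permission its job needs.
var safeOutputPermission = map[string]string{
	"create-issue":                "issues",
	"push-to-pull-request-branch": "contents",
	"create-discussion":           "discussions",
}

// Permissions a GitHub App installation token cannot be granted, as listed in
// the PR summary (assumed complete for this example).
var notAppPermissions = map[string]bool{
	"discussions":  true,
	"models":       true,
	"id-token":     true,
	"attestations": true,
}

// ValidateSafeOutputsApp returns nil when the configuration is consistent and
// an error naming every safe output that would silently lose its permission
// if an app token were minted for it. Unknown types are rejected outright so a
// typo cannot bypass the check.
func ValidateSafeOutputsApp(so SafeOutputs) error {
	if !so.App {
		return nil // GITHUB_TOKEN path: action permissions apply, nothing to check
	}
	var incompatible []string
	for _, typ := range so.Enabled {
		perm, known := safeOutputPermission[typ]
		if !known {
			return fmt.Errorf("unknown safe-output type %q", typ)
		}
		if notAppPermissions[perm] {
			incompatible = append(incompatible, fmt.Sprintf("%s (needs %s)", typ, perm))
		}
	}
	if len(incompatible) == 0 {
		return nil
	}
	sort.Strings(incompatible) // stable error text for the compiler's output
	return errors.New("safe-outputs.app cannot be combined with: " + strings.Join(incompatible, ", "))
}

func main() {
	// Constructed sample resembling artifacts-summary.md after importing the shared app workflow.
	cfg := SafeOutputs{App: true, Enabled: []string{"create-issue", "create-discussion"}}
	if err := ValidateSafeOutputsApp(cfg); err != nil {
		fmt.Println("compile error:", err)
	}
}
```

Failing at `gh aw compile` time is preferable to the runtime authorization error described above, because the lock file never gets a token-minting step whose permission set cannot satisfy the job that follows it.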
| steps: | ||
| - name: Generate GitHub App token | ||
| id: app-token | ||
| uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2 |
The test workflow file is still using the old SHA for actions/create-github-app-token@v2 (67018539274d69449ef7c02e8e71183d1719ab42), while the action pin has been updated to 7e473efe3cb98aa54f8d4bac15400b15fad77d94 in both actions-lock.json and action_pins.json.
This suggests the test workflow needs to be recompiled to pick up the updated action pin. All test workflows should use the same pinned versions as production workflows for consistency and to ensure tests validate the actual deployed configuration.
Suggested fix: Recompile the test workflow with gh aw compile to update the action pin.
| uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2 | |
| uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2 |
Completed: Add Shared Agentic Workflow for Safe Output App Setup

Summary

Created a new shared workflow that sets up safe output app configuration using repository-level variables and secrets, and integrated it with the changeset generator workflow.

What was implemented

**New Shared Workflow** (`.github/workflows/shared/safe-output-app.md`)
- `APP_ID` (repository variable) and `APP_PRIVATE_KEY` (repository secret)
- `app-config.md`, which uses organization-level credentials

**Changeset Generator Integration**
- Updated `.github/workflows/changeset.md` to import the new shared workflow

**Enhanced push_to_pull_request_branch Support**
- Enhanced the `push_to_pull_request_branch` job to properly support GitHub App tokens

**Fixed conclusion job**
- Added app-token minting and invalidation steps to the conclusion job (`pkg/workflow/notify_comment.go`)

**Fixed GitHub App Permissions Mapping**
- Fixed `convertPermissionsToAppTokenFields` to only include valid GitHub App permissions
- Excluded: `discussions`, `models`, `id-token`, `attestations`

**Auto-set Owner and Repositories**
- When `owner` is not specified, defaults to `${{ github.repository_owner }}`
- When `repositories` is not specified, defaults to `${{ github.event.repository.name }}`

**Updated Action Pin**
- Updated `actions/create-github-app-token@v2` SHA to latest version
- `TestActionPinSHAsMatchVersionTags`

**Integrated with Existing Daily Workflows**
- Updated `daily-file-diet.md` to import `shared/safe-output-app.md` (creates issues)
- Updated `artifacts-summary.md` to import `shared/safe-output-app.md` (creates discussions)

**New Helper Function**
- `generateGitConfigurationStepsWithToken` in `yaml_generation.go`

**Changeset Documentation**
- `.changeset/patch-add-safe-output-app-shared-workflow.md`

**Testing**
- `github-token` parameter

Files Changed
- `.github/workflows/shared/safe-output-app.md` (new)
- `.github/workflows/changeset.md` (updated to import shared workflow)
- `.github/workflows/changeset.lock.yml` (recompiled)
- `.github/workflows/daily-file-diet.md` (updated to import shared workflow)
- `.github/workflows/daily-file-diet.lock.yml` (recompiled)
- `.github/workflows/artifacts-summary.md` (updated to import shared workflow)
- `.github/workflows/artifacts-summary.lock.yml` (recompiled)
- `.github/aw/actions-lock.json` (updated action pin)
- `pkg/workflow/data/action_pins.json` (synced from actions-lock.json)
- `pkg/workflow/push_to_pull_request_branch.go` (enhanced for app token support)
- `pkg/workflow/notify_comment.go` (added app-token minting and invalidation steps to conclusion job)
- `pkg/workflow/safe_outputs_app.go` (fixed GitHub App permissions mapping, added deterministic sorting, auto-set owner/repositories)
- `pkg/workflow/yaml_generation.go` (added token parameter support)
- `.changeset/patch-add-safe-output-app-shared-workflow.md` (new)